Issue Date: March 24, 2011
Audit Report Number: 2011-DP-0006

TO:      Douglas A. Criscitello, Chief Financial Officer, F
         Mercedes M. Márquez, Assistant Secretary for Community Planning and Development, D
         Jerry E. Williams, Chief Information Officer, Q

FROM:    Hanh Do, Director, Information Systems Audit Division, GAA

SUBJECT: HUD's Controls Over Selected Configuration Management Activities Need Improvement


                                     HIGHLIGHTS

What We Audited and Why

We audited the U.S. Department of Housing and Urban Development's (HUD) controls over selected
configuration management (CM) activities. This audit was based on work performed during our
fiscal year 2009 and 2010 reviews of information system security controls in support of the
annual financial statement audits. During those audits, we identified weaknesses in security
controls over selected CM activities.

What We Found

Although HUD had processes and procedures for managing the configurations of systems in HUD's
computing environment, those procedures were not always followed. Specifically, (1) CM
documentation for the eTravel and Integrated Disbursement and Information System (IDIS) Online
systems was outdated, and (2) HUD did not consistently follow its own Configuration Change
Management Board (CCMB) review and approval process.

What We Recommend

We recommend that the Office of the Chief Financial Officer update the CM plan for the eTravel
system and ensure that contractor support staff reviews application CM documentation at least
annually and updates the documentation when changes occur.

We recommend that the Assistant Secretary for Community Planning and Development update the CM
plan for IDIS Online and ensure that contractor support staff reviews application CM
documentation at least annually and updates the documentation when changes occur.

We recommend that the Office of the Chief Information Officer ensure that all products running
on the HUD information technology infrastructure are CCMB approved and that products selected
for pilot testing are CCMB approved before conducting the test.

For each recommendation without a management decision, please respond and provide status
reports in accordance with HUD Handbook 2000.06, REV-3. Please furnish us copies of any
correspondence or directives issued because of the audit.

Auditee's Response

The draft audit report was issued on February 22, 2011, and written comments were requested
from each of the report's addressees by March 8, 2011. We received written comments dated
March 2, 7, and 14, 2011. The Office of the Chief Financial Officer, Office of Community
Planning and Development, and Office of the Chief Information Officer generally agreed with the
recommendations in our report.

The complete text of each auditee's response, along with our evaluation of those responses, can
be found in appendix A of this report.


                                  TABLE OF CONTENTS

Background and Objectives

Results of Audit

     Finding 1: CM Documentation for eTravel and IDIS Online Was Outdated
     Finding 2: HUD's CCMB Review and Approval Process Was Not Consistently Followed

Scope and Methodology

Internal Controls

Appendix

   A. Auditee Comments and OIG's Evaluation


                             BACKGROUND AND OBJECTIVES

The U.S. Department of Housing and Urban Development (HUD) relies extensively on information
technology (IT) to carry out its mission and provide services to the American public. Given the
prevalence of cyber threats today, HUD must manage its IT assets with due diligence and take the
necessary steps to safeguard them while complying with Federal mandates and the dictates of good
stewardship.

Within HUD, the Office of the Chief Information Officer (OCIO) is responsible for the security of
IT resources. One of the major goals of OCIO is to maintain an enterprise security program that
meets all security and privacy-related regulations, statutes, and Federal laws. OCIO coordinates,
develops, and implements IT security policy and procedures for HUD.

Configuration management (CM) is one component within the entitywide security program under
OCIO's area of responsibility. According to the National Institute of Standards and Technology
(NIST), CM provides assurance that the system in operation is the correct version (configuration)
of the system and that any changes to be made are reviewed for security implications. CM can be
used to help ensure that changes take place in an identifiable and controlled environment and
that they do not unintentionally harm any of the system's properties, including its security. To
achieve this objective, HUD established the Configuration Change Management Review Board (CCMB)
to ensure that all changes made to the HUD IT infrastructure and system development platforms
take place through a rational and orderly process.

The Office of the Chief Financial Officer's (OCFO) eTravel system is a critical system that
supports HUD's travel needs. eTravel is the Web service interface between the HUD Central
Accounting Program System and the FEDTraveler.com system.[1] According to HUD's Inventory of
Automated Systems, HUD's Integrated Disbursement and Information System (IDIS) Online is a
Web-based grants management system used by the Office of Community Planning and Development
(CPD) to automate the administration of grants, including those grants established by the
American Recovery and Reinvestment Act of 2009. IDIS Online is used by more than 1,200 HUD
grantees, including urban counties and States, to plan activities, draw down program funds, and
report on accomplishments. IDIS Online has more than 15,000 individual grantee users as well as
several hundred HUD headquarters and field office users.

Our overall objectives were to determine whether (1) CM plans for the selected applications were
kept up to date and (2) selected software products followed HUD's CM policies.

[1] FEDTraveler.com is an enterprise solution for Government travelers.


Finding 1: CM Documentation for eTravel and IDIS Online Was Outdated

CM documentation for eTravel and IDIS Online was not compliant with NIST Special Publication (SP)
800-53[2] and HUD's own internal policies and procedures. This condition occurred because neither
OCFO nor CPD ensured that contractors responsible for maintaining these CM plans kept them up to
date in accordance with the most current HUD CM policy, procedures, and template. Because system
configuration documentation was not kept up to date, HUD risked providing improper
organizational and strategic directions and could not ensure that resource assignments for the
implementation would be adequately provided.

CM Documentation Was Outdated

CM documentation for the eTravel and IDIS Online systems was outdated. We reviewed the CM plans
for the systems and determined that the plans did not follow CM guidance contained in HUD's
Software Configuration Management Policy (Handbook 3252.1) and the HUD software configuration
plan template. Plans for both systems lacked information as follows:

    • The Roles and Responsibilities section did not include the development, test, and
      production groups that are part of the CM process personnel needed to ensure proper
      authorization, testing, approval, and tracking of all configuration changes; and

    • The Information section did not include contact information for the supporting groups
      mentioned above that may be needed for informational and troubleshooting purposes.

In addition, the CM plans for both systems contained outdated information, as outlined in the
tables for each system below:

Outdated Information in the eTravel CM Plan

1.  Section 1.3, Project References, contained a reference to the HUD System Development
    Methodology (SDM), dated August 2005, although the document had been revised and updated as
    of January 2009. It also contained a reference to the HUD ADP [automated data processing]
    Documentation Standards, Handbook 2400.15, which was cancelled in April 2002. However, it
    did not reference the HUD Software Configuration Management Policy Handbook (3252.1) or the
    HUD Software Configuration Management Procedures, which are HUD's primary CM documents.

2.  Section 1.2.1, FedTraveler P221, did not clearly identify the eTravel system environment. It
    did not identify the vendor for each product used, provide the hardware information for each
    server, or list the operating system. Further, the hardware and software information for the
    development/test environment should be listed if it is different from the production
    environment. The CM server information, such as CM tool version and server name, was
    excluded. In addition, this section and section 2.4, Tools, still listed the old CM tool.

3.  Section 1.6, Points of Contact, listed outdated personnel information for the government
    technical representative. Also, section 1.6.2, Coordination, still listed people who had left
    HUD. For example, the point of contact for server/operations support had retired, and the
    point of contact for the Office of Information Technology ("OIT-Infrastructure") had left HUD.

4.  The eTravel CM plan did not follow the HUD SDM software configuration plan template. The
    following sections were missing: Baseline Identification, Measurements, Configuration Status
    Accounting, Configuration Management Libraries, Release Management, and Configuration Audits.
    In addition, the plan did not have a System Overview section covering required information
    such as system environment or special conditions.

[2] NIST SP 800-53, Recommended Security Controls for Federal Information Systems and
Organizations.

Outdated Information in the IDIS Online CM Plan

1.  Section 1.4, Project References, contained references to the HUD Configuration Management
    Policy, dated February 2001, and the HUD Software Configuration Management Procedures, dated
    October 2007, although the documents had been revised and updated as of July 2008 and January
    2010, respectively. In addition, references to the project management plan, quality assurance
    plan, and risk assessment plan did not clearly specify whether they referred to IDIS' plans or
    other Federal publications. Also, the Integrated Disbursement and Information System
    Configuration Management Plan, dated January 2006, listed in this section could not be located
    for verification.

2.  Section 1.3, System Overview, did not clearly identify the system environment. It only
    identified some servers that serve as the hosts for SiteMinder[3] and Lightweight Directory
    Access Protocol[4] as well as the application and database servers. It did not list the
    servers that host MicroStrategy, which is a business intelligence reporting tool used by IDIS
    Online, provide the hardware information for each production server, or identify the
    operating system that the application was running under. Further, the hardware and software
    information for the development/test environment should be listed, since the CM process
    involves the activities conducted on both development and test servers. The plan also left
    out its CM server's information, such as CM tool version and server name. In addition, the
    interface information, such as interface type, data, and frequency of the interfaced
    applications' organizations, was not provided.

[3] SiteMinder is an authentication and security tool.
[4] Lightweight Directory Access Protocol is an Internet protocol that e-mail and other programs
use to look up information from a server.

NIST SP 800-53, section CM-9, Configuration Management Plan, states, "The organization develops,
documents, and implements a configuration management plan for the information system that: a.
Addresses roles, responsibilities, and configuration management processes and procedures; b.
Defines the configuration items for the information system and when in the system development
life cycle the configuration items are placed under configuration management; and c. Establishes
the means for identifying configuration items throughout the system development life cycle and
a process for managing the configuration of the items."

HUD Software Configuration Management Policy Handbook (3252.1), section 3-2, HUD Software
Configuration Management Policies, item B, states, "Prepare a SCM[5] plan for each software
project according to the documented procedure for managing the configuration to the software,
review it annually, and update it when changes occur. The plan shall comply with HUD SDM
Software Configuration Plan template."

Absent updated documentation, HUD risks that (1) outdated policies and plans may not address
current risk and, therefore, be deemed ineffective; (2) programs and program modifications might
not be properly authorized, tested, and approved, and access to and distribution of programs may
not be carefully controlled; and (3) organizational strategic directions and resource assignments
for implementation cannot be adequately provided.

[5] Software Configuration Management

Conclusion

CM documentation for eTravel and IDIS Online was not kept up to date. Neither OCFO nor CPD
ensured that the contractors responsible for maintaining the eTravel and IDIS Online CM plans
kept the information up to date in accordance with the most current HUD CM policy, procedures,
and template. If system software CM documentation is not kept up to date, HUD risks providing
improper organizational and strategic directions and cannot ensure that resource assignments
for implementation will be adequately provided.

Recommendations

We recommend that OCFO

1A.  Update the CM plan of eTravel to remove references that are obsolete and/or no longer
     applicable and add all missing information.

1B.  Ensure that contractor support staff reviews application CM documentation at least annually
     and updates the documentation when changes occur.

We recommend that the Assistant Secretary for Community Planning and Development

1C.  Update the CM plan of IDIS Online to remove references that are obsolete and/or no longer
     applicable and add all missing information.

1D.  Ensure that contractor support staff reviews application CM documentation at least annually
     and updates the documentation when changes occur.


Finding 2: HUD's CCMB Review and Approval Process Was Not Consistently Followed

HUD did not ensure that its CCMB review and approval process was consistently followed. Not all
software products running in HUD's computing environment had been CCMB approved, and some
products were not CCMB approved before pilot testing. OCIO managers did not believe that software
products owned and/or tested by its IT support contractors required CCMB approval. Failure to
follow agency policies and procedures for effective agency CM controls increases the risk of
potential security impacts due to specific changes to an information system or its surrounding
environment.

CCMB Review and Approval Process Was Not Properly Followed

We identified instances within HUD's CM process that demonstrated that HUD did not follow the
CCMB review process properly. Specifically,

    • Although the majority of software products running in HUD's computing environment went
      through the formal CCMB process and obtained CCMB approval before their use, the Computer
      Associates (CA) Unicenter Service Desk (Service Desk),[6] HUD's help desk application, which
      has been in use since 2007, was not approved by the CCMB.

    • CA Harvest, a software tool for use in the CM of source code and other software development
      assets, went through multiple pilot tests without prior CCMB approval. Compounding the
      issue, OCIO's Office of Enterprise Architecture determined in November 2007 that CA Harvest
      would not meet user needs and that moving to CA Harvest would not be cost effective.
      However, pilot tests were conducted using CA Harvest over a 2-year period, with no request
      submitted for CCMB review and evaluation of this tool. HUD has demonstrated a history of
      obtaining CCMB approval for software products before pilot testing, even if the products are
      ultimately not used.

This condition occurred because the OCIO managers did not believe that software products owned
and/or tested by its IT support contractors required CCMB approval.

[6] Service Desk is the help desk application used by HUD's IT contractor. The purpose of this
application is to provide HUD users with a customer-focused single point of contact for receiving
consistent technical support by promptly and efficiently answering calls and providing personal
customer assistance. In addition, it automates incident, problem, and change management as well
as customer surveys.

The HUD Project Leaders Guide to Preparing Submission for the Configuration Change Management
Board states that the purpose of a platform configuration change management process is to ensure
that all changes made to HUD's IT infrastructure and system development platforms take place in
accordance with a rational and orderly process. It also states that the most critical elements of
the CCMB submission are the sections that provide the explanations as to (1) why a change to the
IT infrastructure or systems development platform is necessary, (2) how the product or product
version proposed to be added to the platform was selected, and (3) what will be involved in
implementing the change. It emphasizes that the explanation for the need for change is very
important, particularly if there already is a standard established for the general class of
products. It states that the submission should address the functionality required that is not
provided by the products currently available in the HUD infrastructure, as well as the criteria
used to evaluate products and the results of the evaluation. It strongly recommends that anyone
thinking about proposing a new standard come to the CCMB to request concurrence with the idea
that a new standard is needed before investing time and effort in researching products and
conducting detailed evaluations.

CCMB Classification, approved on May 17, 2006, has defined a pilot lifecycle as "Product/standard
to be used in conjunction with technology research efforts only (e.g. testing, pilots)."

The HUD SDM, Version 6.06, Requirements Change, states that requirements changes must be approved
by the project CCB (Change Control Board)[7] before project resources are assigned to implement
the change.

NIST SP 800-64, Security Considerations in the System Development Life Cycle, states that an
effective agency configuration management and control policy and associated procedures are
essential to ensure adequate consideration of the potential security impacts due to specific
changes to an information system or its surrounding environment. Further, it states that
configuration management and control procedures are critical to establishing an initial baseline
of hardware, software, and firmware components for the information system and subsequently for
controlling and maintaining an accurate inventory of any changes to the system. Changes to the
hardware, software, or firmware of a system can have a significant security impact. Documenting
information system changes and assessing the potential impact on the security of the system on
an ongoing basis is an essential aspect of maintaining the security accreditation.

By not consistently following its CCMB approval process and ensuring that all software products
are approved for testing and use, HUD increases its risk that products will not meet the needs of
its users or the intended purpose of the software and that resources will be unnecessarily
expended.

[7] The Change Control Board serves as the decision-making body for each program area project.

Conclusion

OCIO did not ensure that the CCMB review and approval process was consistently followed. OCIO
managers did not believe that software products owned and/or tested by its IT support contractors
required CCMB approval. Failure to follow the CCMB review process increases HUD's risk that
products will not meet the needs of its users or the intended purpose of the software and that
resources will be unnecessarily expended.

Recommendations

We recommend that OCIO

2A.  Ensure that Service Desk is approved by the CCMB.

2B.  Ensure that all products selected for the pilot test are approved by the CCMB before
     conducting the test.

2C.  Ensure that all products running on the HUD IT network infrastructure have obtained CCMB
     approval.


                               SCOPE AND METHODOLOGY

The review covered the period October 1, 2008, through September 30, 2010. We performed the audit
at HUD headquarters in Washington, DC, from March through November 2010. During our fiscal year
2009 review of information system security controls in support of the annual financial statement
audit, we identified inconsistencies and weaknesses in the application of CM policies and
procedures at HUD. Consequently, this separate project was initiated to further develop the
details of the deficiencies.

Our review was based on guidance from publications by NIST and HUD's own SDM and CM policies and
procedures. These publications contain guidance for CM and control. We evaluated controls over
the identification and management of security features for hardware, software, and firmware
components of an information system.

To accomplish our objectives, we reviewed CM policies and procedures and discussed procedures and
practices with management and staff personnel responsible for CM.

We conducted the audit in accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence
to provide a reasonable basis for our findings and conclusions based on our audit objectives. We
believe that the evidence obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.


                                   INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management, designed
to provide reasonable assurance about the achievement of the organization's mission, goals, and
objectives with regard to

    • Effectiveness and efficiency of operations,
    • Reliability of financial reporting, and
    • Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the
organization's mission, goals, and objectives. Internal controls include the processes and
procedures for planning, organizing, directing, and controlling program operations as well as
the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objectives:

    • Policies, procedures, control systems, and other management tools used for implementation
      of security and technical controls for HUD's system security.
    • Policies, procedures, controls, and other management tools implemented to detect, prevent,
      and resolve security incidents.

We assessed the relevant controls identified above.

A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, the
reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or
efficiency of operations, (2) misstatements in financial or performance information, or (3)
violations of laws and regulations on a timely basis.

Significant Deficiency

Based on our review, we believe that the following item is a significant deficiency:

    • HUD did not consistently perform CM control activities and monitor implementation of
      required HUD and NIST policies (findings 1 and 2).


                                      APPENDIX A

                    OCFO'S COMMENTS AND OIG'S EVALUATION

Ref to OIG Evaluation      Auditee Comments

Comment 1

Comment 2

OIG Evaluation of OCFO's Comments

Comment 1   OIG agrees with OCFO's comment and planned corrective action.

Comment 2   OIG agrees with OCFO's comment and planned corrective action.


                    CPD'S COMMENTS AND OIG'S EVALUATION

Ref to OIG Evaluation      Auditee Comments

Comment 1

OIG Evaluation of CPD's Comments

Comment 1   OIG agrees with CPD's comment and planned corrective action.


                    OCIO'S COMMENTS AND OIG'S EVALUATION

Ref to OIG Evaluation      Auditee Comments

Comment 1

Comment 2

Comment 3

OIG Evaluation of OCIO's Comments

Comment 1   OIG agrees with OCIO's comments.

Comment 2   OIG agrees with OCIO's comment.

Comment 3   OIG agrees with OCIO's comment.